Is your OnePlus phone downloading some GPS data over insecure channels? At least that’s what an exclusive report from PiunikaWeb suggests. It is claimed that OnePlus phones are downloading the almanac data via insecure HTTP channels. The issue was verified with the help of LineageOS contributor Louis Popi aka h2o64, and a bug report was filed on the OnePlus Forum in February.
According to the report, OnePlus engineers overrode standard AOSP (Android Open Source Project) policies and shipped a debug build of gps.conf in OxygenOS, which forcibly (VENDOR_EDIT) enabled insecure XTRA data servers. PiunikaWeb has posted full screenshots of the code findings and what OnePlus is up to with this information.
Reportedly, this could allow an attacker to modify the position data of your phone’s GPS and guide you along a completely different path.
“Imagine a situation – you are using your phone’s GPS to navigate. Meanwhile a network-level attacker from their secret hideout is doing a man-in-the-middle attack and modifying the position data to guide you to a completely different path,” noted the report.
Having said that, the report also mentions that OnePlus community moderator Funk Wizard acknowledged and escalated the issue, which was reported in February, a little later. OnePlus on Wednesday gave an assurance that the issue will be fixed “in the upcoming updates”, although, according to the company, the erroneous code isn’t executing currently. PiunikaWeb’s findings, however, reveal otherwise.
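One way to audit a gps.conf for the kind of setting described above, as an added example that is not code from PiunikaWeb, OnePlus or AOSP: it parses the file and flags every active XTRA server entry that is not fetched over HTTPS. The sample file contents and the example.net hosts are constructed placeholders, and the XTRA_SERVER_n key naming is assumed from AOSP-style gps.conf files.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, NOT the OxygenOS file; hosts are placeholders.
SAMPLE_GPS_CONF = """\
# XTRA assistance data servers
XTRA_SERVER_1=http://xtra1.example.net/xtra2.bin
XTRA_SERVER_2 = https://xtra2.example.net/xtra3grc.bin
#XTRA_SERVER_3=http://xtra3.example.net/xtra2.bin
NTP_SERVER=time.example.net
"""

# Assumed key naming: XTRA_SERVER_1, XTRA_SERVER_2, ...
XTRA_KEY = re.compile(r"^XTRA_SERVER_\d+$")


def parse_conf(text):
    """Yield (line_no, key, value) for active KEY=VALUE lines."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Commented-out and blank lines are not read by the GPS stack.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        yield line_no, key, value


def insecure_xtra_servers(text):
    """Return active XTRA server entries whose URL scheme is not https."""
    findings = []
    for line_no, key, value in parse_conf(text):
        if not XTRA_KEY.match(key):
            continue
        # A value with no scheme is flagged too: transport is then undefined.
        if urlsplit(value).scheme.lower() != "https":
            findings.append((line_no, key, value))
    return findings


if __name__ == "__main__":
    for line_no, key, value in insecure_xtra_servers(SAMPLE_GPS_CONF):
        print(f"line {line_no}: {key} uses a non-HTTPS URL: {value}")
```
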
We have also reached out to OnePlus for comment and will update the story when we get more information from the company.